dunkirk.sh / ncae-tools
this repo has no description
fork atom
ncae-tools / 03-ssh-service.md
at main 3.6 kB view raw view code

SSH Service#

Service Name#

  • ssh or sshd (works on most distributions)

Check Service Status#

systemctl status ssh
systemctl status sshd  # Also works

Configuration Location#

Main directory: /etc/ssh/

Key files:

  • /etc/ssh/sshd_config - Server configuration (most important)
  • /etc/ssh/ssh_config - Client configuration
  • /etc/ssh/ssh_host_*_key - Server private keys (multiple algorithms)
  • /etc/ssh/ssh_host_*_key.pub - Server public keys

Important sshd_config Options#

Port 22                    # Default SSH port
ListenAddress 0.0.0.0     # Listen on all IPs (or specify one)
PermitRootLogin prohibit-password  # Or "yes" or "no"

Port#

Default is 22. Can change to non-standard port for security.

ListenAddress#

  • 0.0.0.0 = listen on all IP addresses
  • Or specify a single IP to restrict access

PermitRootLogin#

  • no - root cannot SSH in at all
  • yes - root can SSH in with password
  • prohibit-password - root must use key authentication

Connecting to SSH Server#

Basic syntax:

ssh username@ip_address
ssh username@hostname.com

Example:

ssh sandbox@192.168.1.100

First connection prompts to accept server's fingerprint (say yes).

Host Keys (Server-Side)#

SSH server has multiple key pairs in /etc/ssh/:

  • RSA keys: ssh_host_rsa_key and ssh_host_rsa_key.pub
  • ECDSA keys: ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub
  • ED25519 keys: ssh_host_ed25519_key and ssh_host_ed25519_key.pub

These are asymmetric key pairs:

  • Private key stays on server (read-only to root)
  • Public key shared with clients
  • Data encrypted with one key only decrypts with the other

Regenerating Host Keys#

If keys are compromised (or cloned VMs have identical keys):

sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

Options:

  • -t ecdsa - key type (also: rsa, ed25519)
  • -f /path/to/key - where to save
  • Will prompt to overwrite existing key
  • Can add passphrase or leave blank

Client-Side Known Hosts#

Location: ~/.ssh/known_hosts

Contains public keys of servers you've connected to before.

If server key changes, you'll get a warning. To fix:

# Remove old entry for that IP
ssh-keygen -R 192.168.1.100

# Or delete the entire file and re-accept connections
rm ~/.ssh/known_hosts

Passwordless Authentication#

Allows login without password using key pairs.

Setup process:

  1. Generate key pair on client (or server acting as admin):
ssh-keygen -t ecdsa -f ~/id_bob_key
  1. Create .ssh directory for user:
sudo mkdir /home/bob/.ssh
sudo chmod 700 /home/bob/.ssh
sudo chown bob:bob /home/bob/.ssh
  1. Copy public key to authorized_keys:
sudo cp id_bob_key.pub /home/bob/.ssh/authorized_keys
sudo chmod 644 /home/bob/.ssh/authorized_keys
sudo chown bob:bob /home/bob/.ssh/authorized_keys
  1. Transfer private key to client using SCP:
scp sandbox@192.168.1.100:/path/to/id_bob_key .
  1. Connect using the key:
ssh -i id_bob_key bob@192.168.1.100

Critical permissions:

  • .ssh/ directory: 700 (drwx------)
  • authorized_keys file: 644 (-rw-r--r--)
  • Private keys: 600 (-rw-------)
  • Public keys: 644 (-rw-r--r--)

SCP (Secure Copy)#

Copy files over SSH:

# Copy from remote to local
scp user@remote:/path/to/file .

# Copy from local to remote  
scp localfile user@remote:/path/

# Use sudo on remote side
sudo scp user@remote:/root/file .

Exit SSH Session#

exit

Restart After Config Changes#

sudo systemctl restart ssh